Vulnerability Remediation: A Growing Concern for Security Teams
Remediation is Slow
A recent analysis by S&P Global Ratings and Guidewire has revealed a concerning trend in vulnerability remediation. According to the study, nearly three-quarters of organizations are either occasionally or infrequently remediating the vulnerabilities affecting their systems. This slow pace of remediation poses a significant risk to the security of computer systems.
Prioritization May Have Been Inadequate All Along
The Common Vulnerability Scoring System (CVSS) is a widely used framework for categorizing vulnerabilities. However, the analysis suggests that this system may be inadequate for prioritizing vulnerabilities. CVSS considers factors such as exploitability, difficulty of exploit, and impact of the exploit, but it may not take into account additional metrics that could be valuable for more accurate prioritization.
The report recommends considering the Exploit Prediction Security Score (EPSS) system, developed by the Forum of Incident Response and Security Teams (FIRST). The EPSS system collects data on vulnerability information, exploit code availability, and social media mentions to generate probabilities for exploitation.
Age of the Vulnerability Plays a Role
The analysis found that older vulnerabilities are more likely to be exploited. A significant number of detected vulnerabilities originated from 2016, with nearly 75% of these vulnerabilities being publicly disclosed seven or more years ago. This persistent exploitation of aging vulnerabilities highlights the critical need for timely and effective vulnerability management.
Increasing Frequency of Discovered Vulnerabilities
The increasing frequency of discovered vulnerabilities makes it challenging for organizations to determine which ones to fix first. The report suggests that traditional CVSS-based prioritization may worsen security by contributing to delayed remediation.
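To make the difference between the two approaches concrete, here is an added illustration (not from the report or this article) that ranks a constructed set of vulnerabilities two ways: by CVSS base score alone, and by an exploit-aware rule that fixes anything with a high EPSS probability first and uses disclosure age as a tie-breaker, reflecting the finding that aging vulnerabilities keep being exploited. The identifiers, scores, dates and the 0.1 EPSS threshold are constructed assumptions, not values from the report.

```python
from dataclasses import dataclass
from datetime import date


@dataclass(frozen=True)
class Vuln:
    cve: str          # placeholder identifier, not a real CVE
    cvss: float       # CVSS base score, 0.0 to 10.0
    epss: float       # EPSS probability of exploitation, 0.0 to 1.0
    published: date   # public disclosure date


# Constructed sample data; the reference date is fixed so results are reproducible.
TODAY = date(2024, 1, 1)
SAMPLE = [
    Vuln("CVE-EXAMPLE-A", cvss=9.8, epss=0.01, published=date(2023, 1, 10)),
    Vuln("CVE-EXAMPLE-B", cvss=7.5, epss=0.92, published=date(2016, 3, 1)),
    Vuln("CVE-EXAMPLE-C", cvss=5.3, epss=0.35, published=date(2019, 6, 15)),
    Vuln("CVE-EXAMPLE-D", cvss=9.8, epss=0.02, published=date(2017, 9, 20)),
]


def age_years(v: Vuln, today: date) -> float:
    """Years since public disclosure."""
    return (today - v.published).days / 365.25


def rank_by_cvss(vulns):
    """Traditional ordering: highest CVSS base score first (stable for ties)."""
    return [v.cve for v in sorted(vulns, key=lambda v: -v.cvss)]


def rank_by_exploit_likelihood(vulns, today: date, epss_threshold: float = 0.1):
    """Exploit-aware ordering:
    1. anything at or above the EPSS threshold comes first, highest EPSS first;
    2. the remainder is ordered by CVSS, older disclosures breaking ties.
    """
    def key(v):
        urgent = v.epss >= epss_threshold
        return (not urgent, -v.epss if urgent else 0.0, -v.cvss, -age_years(v, today))
    return [v.cve for v in sorted(vulns, key=key)]


def stale(vulns, today: date, years: float = 7.0):
    """Vulnerabilities disclosed at least `years` ago and still open."""
    return [v.cve for v in vulns if age_years(v, today) >= years]
```

Run against the sample, the CVSS-only order starts with the two 9.8 findings that almost nobody is exploiting, while the exploit-aware order moves the EPSS 0.92 finding from 2016 to the top.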
Conclusion
The slow pace of vulnerability remediation is a growing concern for security teams. The increasing frequency of discovered vulnerabilities and the persistence of aging vulnerabilities underscore the need for effective vulnerability management. Organizations must prioritize remediation to ensure the security of their computer systems.
FAQs
Q: What is the current state of vulnerability remediation?
A: The current state of vulnerability remediation is slow, with nearly three-quarters of organizations either occasionally or infrequently remediating the vulnerabilities affecting their systems.
Q: What is the Common Vulnerability Scoring System (CVSS)?
A: The CVSS is a widely used framework for categorizing vulnerabilities, considering factors such as exploitability, difficulty of exploit, and impact of the exploit.
Q: What is the Exploit Prediction Security Score (EPSS) system?
A: The EPSS system is a framework that collects data on vulnerability information, exploit code availability, and social media mentions to generate probabilities for exploitation.
Q: How can organizations prioritize vulnerabilities effectively?
A: Organizations can prioritize vulnerabilities effectively by considering both the CVSS and EPSS scores, as well as other factors such as the age of the vulnerability and the likelihood of exploitation.
Q: What is the significance of the age of the vulnerability?
A: The age of the vulnerability plays a significant role, as older vulnerabilities are more likely to be exploited.